Software

ShrinkWrap - VTV extension for protecting VTables

C++ is a popular, fast, object-oriented (OO) language used to develop
some of the most widely used software, including Web browsers such as
Chrome and Mozilla Firefox. OO languages such as C++ support run-time
method binding, i.e., determining the method to be called based on the
run-time type of an object rather than the static type of the pointer
pointing to that object. Modern compilers typically implement this
through VTables, which provide an efficient way to call the correct
method at run time. Unfortunately, virtual calls are indirect calls
through the VTable pointer stored in each object, so an attacker who
corrupts that pointer (for example through a heap overflow or a
use-after-free) controls the target of the next virtual call; this is
what makes VTables a prominent target for hijacking the control flow
of a program.
While multiple source- and binary-based solutions for protecting
VTables have already been proposed, we found that in practice they are
too conservative: in order never to break a legitimate call they admit
more VTables at a call site than can actually appear there, and
determined attackers can use that slack to circumvent them. In this
paper we delve into the design of C++ VTables and match that knowledge
against VTV, GCC's VTable verification, which has become the industry
standard protection scheme. We designed a new approach that
significantly refines VTV to offer a provably optimal protection
scheme. As we build on top of VTV, we preserve all of its advantages
in terms of software compatibility and overhead, so our proposed
design comes for free for any user today. Besides the design we also
develop a testing methodology, which future developers can use to
validate their implementations. ShrinkWrap was evaluated using Google
Chrome.
Get the software!
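
The check that VTV-style schemes insert before each virtual call, shown as an added example (my code, not ShrinkWrap's or GCC's): it reads an object's VTable pointer and refuses the call unless that pointer is in the set allowed for the call site's static type. The hierarchy, the Itanium-ABI assumption about where the VTable pointer lives, and the use of a `std::set` built from live objects in place of compiler-emitted metadata are my own simplifications. The multiple-inheritance case also makes the over-approximation discussed above concrete: a `Derived` object seen through a `Right*` carries the Right-in-Derived secondary VTable, never Derived's primary one, so admitting the latter at `Right*` call sites only adds dispatch targets for an attacker.

```cpp
#include <cstdio>
#include <cstring>
#include <set>

// Small hierarchy with multiple inheritance, so that a Derived object carries
// two VTable pointers: the primary one (shared with its Left subobject) and a
// secondary one for its Right subobject.
struct Left  { virtual int left()  { return 1; } virtual ~Left()  {} };
struct Right { virtual int right() { return 2; } virtual ~Right() {} };
struct Derived : Left, Right {
    int left()  override { return 10; }
    int right() override { return 20; }
};
// An unrelated class whose VTable an attacker might try to swap in.
struct Unrelated { virtual int evil() { return 666; } virtual ~Unrelated() {} };

// Read the VTable pointer stored at offset 0 of a polymorphic (sub)object.
// Assumes the Itanium C++ ABI layout used by GCC and Clang; not portable C++,
// which is one reason real VTV/ShrinkWrap live inside the compiler.
static const void* vptr_of(const void* subobject) {
    const void* vp;
    std::memcpy(&vp, subobject, sizeof vp);
    return vp;
}

// Allowed VTables for a call site whose static type is Right: Right's own
// VTable and the Right-in-Derived secondary VTable, the only two values a
// legitimate Right* can ever carry. Built from live objects for the demo;
// a compiler would emit this set from the class hierarchy.
static const std::set<const void*>& allowed_for_right() {
    static Right r;
    static Derived d;
    static const std::set<const void*> allowed = {
        vptr_of(&r), vptr_of(static_cast<Right*>(&d)) };
    return allowed;
}

static bool vtable_allowed(const void* subobject, const std::set<const void*>& allowed) {
    return allowed.count(vptr_of(subobject)) != 0;
}

// Guarded virtual call: verify the VTable before dispatching and refuse (here
// by returning -1; a deployed scheme aborts) to jump through an unknown one.
static int checked_right_call(Right* p) {
    if (!vtable_allowed(p, allowed_for_right())) return -1;
    return p->right();
}

// The slack that over-approximation leaves: Derived's primary VTable is a
// valid VTable in the hierarchy, yet it can never legitimately be seen
// through a Right*. A set that admitted it would hand an attacker one extra,
// unneeded target at every Right* call site.
static bool derived_primary_vtable_is_rejected_for_right() {
    Derived d;
    return !vtable_allowed(&d, allowed_for_right());
}

// Drive the guard with: 0 = a plain Right, 1 = a Derived seen through Right*,
// 2 = a forged object whose first word was overwritten (think use-after-free
// or heap overflow) with Unrelated's VTable pointer.
static int guarded_call_on(int which) {
    Right r;
    Derived d;
    Unrelated u;
    alignas(Right) unsigned char forged[sizeof(Right)];
    const void* evil_vptr = vptr_of(&u);
    std::memcpy(forged, &evil_vptr, sizeof evil_vptr);   // simulated vptr corruption
    switch (which) {
        case 0:  return checked_right_call(&r);
        case 1:  return checked_right_call(&d);
        default: return checked_right_call(reinterpret_cast<Right*>(forged));
    }
}

int main() {
    std::printf("plain Right: %d, Derived via Right*: %d, forged: %d\n",
                guarded_call_on(0), guarded_call_on(1), guarded_call_on(2));
    std::printf("Derived primary VTable rejected at Right* site: %s\n",
                derived_primary_vtable_is_rejected_for_right() ? "yes" : "no");
    return 0;
}
```

The forged object is never called through, only checked, which is the whole point of the guard: the decision is made on the VTable pointer before any indirect jump happens.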

Virtual Partitioning

Applications can be logically separated into parts that face different
types of threats, or that are exposed to a particular threat to
different degrees because of external events or innate properties of
the software. Based on this observation, we propose the virtual
partitioning of applications, which allows the selective and targeted
application of the protection mechanisms most needed on each
partition, or lets one manage an application's attack surface by
protecting its most exposed partition. We demonstrate the value of our
scheme by introducing a methodology to automatically partition
software based on an intrinsic property such as user authentication.
Our approach automatically determines the point where the user
authenticates, without access to source code. At runtime, we partition
binaries using a binary monitor that uses the identified
authentication points to split execution into pre- and
post-authentication parts, and adapts defenses by switching between
protection mechanisms of varied intensity, such as dynamic taint
analysis and instruction-set randomization.
Get the software!

REASSURE

REASSURE is a tool based on Intel's PIN dynamic instrumentation
framework that implements software self-healing using rescue points.
Rescue points are existing code locations that already handle certain
anticipated errors in the target application, usually by returning an
error code; when an unanticipated fault occurs inside such a location,
execution is rolled back to it and the same error code is returned, so
the application survives in a state its own code knows how to handle.
REASSURE is a self-contained mechanism that enables the use of such
rescue points on binary-only software, without any changes to the
operating system. REASSURE won the best paper award at IWSEC'11 in
Tokyo, Japan.
REASSURE is currently not available.
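
An added example (mine, not REASSURE's code) of what a rescue point buys. The hypothetical `handle_request` already returns -1 for a malformed id; the wrapper turns its entry into a rescue point by checkpointing with `sigsetjmp` and, if a fault is caught before the function returns, unwinding to the checkpoint and returning that same -1. REASSURE does this on unmodified binaries through Pin and restores memory as well; the in-process signal handler, the `Session` table and the deliberately buggy lookup are stand-ins I constructed.

```cpp
#include <csetjmp>
#include <csignal>
#include <cstdio>
#include <cstring>

// Rescue-point state: the checkpoint to unwind to while a rescued function is
// active. (Stand-in for REASSURE's Pin-based checkpoint/rollback.)
static sigjmp_buf rescue_env;
static volatile sig_atomic_t rescue_armed = 0;

static void fault_handler(int sig) {
    if (rescue_armed) siglongjmp(rescue_env, sig);   // unwind to the rescue point
    std::signal(sig, SIG_DFL);                        // no rescue point active: die as usual
    std::raise(sig);
}

static void install_fault_handler() {
    struct sigaction sa;
    std::memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sa.sa_flags = SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, nullptr);
    sigaction(SIGBUS, &sa, nullptr);
}

struct Session { int id; char name[16]; };

// Session table (constructed). The volatile qualifier on the pointers keeps
// the compiler from proving a slot is NULL and folding the bug into a trap.
static Session* volatile sessions[4];
static Session alice = { 0, "alice" };

static void populate_sessions() {
    sessions[0] = &alice;          // slots 1..3 are deliberately left empty
}

// Buggy callee: trusts that the slot is populated. For an id whose slot is
// empty this dereferences NULL, the kind of crash self-healing recovers from.
static int session_name_len(int id) {
    Session* s = sessions[id];
    return static_cast<int>(std::strlen(s->name));
}

// The application's existing error handling: a malformed id yields -1. That
// makes the entry of handle_request a rescue point: callers already cope with
// -1, so forcing that return after a fault leaves the program in a known state.
static int handle_request(int id) {
    if (id < 0 || id >= 4) return -1;
    return session_name_len(id);
}

// Rescue-point wrapper: checkpoint, run the original function, and if a fault
// is caught before it returns, heal by returning its anticipated error code.
static int handle_request_rescued(int id) {
    if (sigsetjmp(rescue_env, 1) != 0) {
        rescue_armed = 0;
        return -1;                 // healed: same code the malformed-id path uses
    }
    rescue_armed = 1;
    int rc = handle_request(id);
    rescue_armed = 0;
    return rc;
}

// Entry point that installs the handler once and then serves a request.
static int serve(int id) {
    static bool ready = false;
    if (!ready) { install_fault_handler(); populate_sessions(); ready = true; }
    return handle_request_rescued(id);
}

int main() {
    std::printf("id 0 -> %d (valid)\n", serve(0));
    std::printf("id 9 -> %d (rejected by the existing check)\n", serve(9));
    std::printf("id 2 -> %d (NULL dereference, healed)\n", serve(2));
    std::printf("id 0 -> %d (process still serving)\n", serve(0));
    return 0;
}
```

The rescue point is safe only because the application already treats -1 from `handle_request` as "nothing happened": no lock is held and no shared state is half-updated at that point. Picking locations with that property is what makes rescue points different from blindly catching faults.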

libdft

libdft is a framework based on Intel's PIN dynamic instrumentation
framework that provides dynamic data flow tracking (DFT) for x86
binaries. DFT tags data of interest (for example, input read from the
network) and follows those tags through the program as it executes;
it powers techniques like Dynamic Taint Analysis (DTA) that can be
used to harden software. This work appeared in VEE'12.
Get the software!

ISRuPIN

ISRuPIN is a tool based on Intel's PIN dynamic instrumentation
framework that implements instruction-set randomization (ISR) for x86
binaries on Linux. It is relatively lightweight, and it supports
shared libraries and multiple randomization keys. This work appeared
in ACSAC'10.
Get the software!
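
Instruction-set randomization in miniature, as an added example (my toy ISA, not ISRuPIN's code): each code region is XOR-encoded with its own key when loaded and decoded again at fetch time, so injected bytes that were never encoded decode to garbage and fault instead of executing. The opcode set, the keys, and the modelled overwrite of a function pointer are my assumptions; the per-region keys stand in for ISRuPIN's separately keyed shared libraries.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Toy ISA: 2-byte instructions (opcode, imm8), an operand stack, a call stack.
enum Op : uint8_t { PUSH = 1, ADD = 2, ICALL = 3, RET = 4, OUT = 5, HALT = 6 };

// A code region and the key its bytes were XOR-encoded with at load time.
struct Region { uint8_t start, end, key; };   // [start, end)

struct Machine {
    std::vector<uint8_t> mem;
    std::vector<Region> regions;
    uint8_t default_key;          // key applied to addresses outside any code region

    explicit Machine(uint8_t dk) : mem(256, 0), default_key(dk) {}

    // Load a module: copy its bytes XOR-ed with the region's key (the
    // randomization step, done once when the module is mapped).
    void load_code(uint8_t at, const std::vector<uint8_t>& code, uint8_t key) {
        for (size_t i = 0; i < code.size(); ++i) mem[at + i] = code[i] ^ key;
        regions.push_back({at, uint8_t(at + code.size()), key});
    }
    uint8_t key_for(uint8_t pc) const {
        for (const Region& r : regions)
            if (pc >= r.start && pc < r.end) return r.key;
        return default_key;
    }
    // The de-randomizing fetch: every executed byte is decoded with the key of
    // the region it sits in. Bytes that were never encoded come out as garbage.
    uint8_t fetch(uint8_t pc) const { return mem[pc] ^ key_for(pc); }
};

struct Outcome { bool ok; uint8_t pc; std::vector<int> out; };

static Outcome run(Machine& m) {
    std::vector<int> data;          // operand stack
    std::vector<uint8_t> calls;     // return-address stack
    std::vector<int> out;
    uint8_t pc = 0;
    for (int steps = 0; steps < 100; ++steps) {
        uint8_t op = m.fetch(pc), imm = m.fetch(uint8_t(pc + 1));
        switch (op) {
            case PUSH: data.push_back(imm); pc += 2; break;
            case ADD:
                if (data.size() < 2) return {false, pc, out};
                { int b = data.back(); data.pop_back();
                  int a = data.back(); data.pop_back();
                  data.push_back(a + b); }
                pc += 2; break;
            case ICALL:                         // indirect call through a data pointer
                calls.push_back(uint8_t(pc + 2)); pc = m.mem[imm]; break;
            case RET:
                if (calls.empty()) return {false, pc, out};
                pc = calls.back(); calls.pop_back(); break;
            case OUT:
                if (data.empty()) return {false, pc, out};
                out.push_back(data.back()); data.pop_back(); pc += 2; break;
            case HALT: return {true, pc, out};
            default:   return {false, pc, out}; // undefined opcode: SIGILL on real hardware
        }
    }
    return {false, pc, out};
}

// Main program (own key) calls a library routine (own key) through a function
// pointer kept in data memory. With `inject`, attacker input written into a
// data buffer at 0x80 also overwrites that pointer, the classic code-injection
// path that ISR is meant to stop.
static Outcome run_scenario(bool randomize, bool inject) {
    const uint8_t main_key = randomize ? 0x5A : 0x00, lib_key = randomize ? 0xA7 : 0x00;
    Machine m(main_key);
    m.load_code(0x00, {PUSH, 2, PUSH, 3, ICALL, 0x90, OUT, 0, HALT, 0}, main_key);
    m.load_code(0x40, {ADD, 0, RET, 0}, lib_key);
    m.mem[0x90] = 0x40;                   // data: function pointer to the library routine
    if (inject) {
        const uint8_t shellcode[] = {PUSH, 0x99, OUT, 0, HALT, 0};   // constructed payload
        for (size_t i = 0; i < sizeof shellcode; ++i) m.mem[0x80 + i] = shellcode[i];
        m.mem[0x90] = 0x80;               // hijacked pointer now targets the payload
    }
    return run(m);
}

int main() {
    const char* names[] = {"ISR, legit", "no ISR, injected", "ISR, injected"};
    Outcome o[] = {run_scenario(true, false), run_scenario(false, true), run_scenario(true, true)};
    for (int i = 0; i < 3; ++i) {
        std::printf("%-18s ok=%d pc=0x%02x out=", names[i], o[i].ok, o[i].pc);
        for (int v : o[i].out) std::printf("%d ", v);
        std::printf("\n");
    }
    return 0;
}
```

The protection rests entirely on the key staying secret: XOR keys this short can be recovered by an attacker who can observe whether guessed bytes execute or fault, which is why real deployments need unpredictable keys and must not leak crash behaviour.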

Paranoid Android

Paranoid Android (PA)
is a framework that transparently and faithfully replicates the
execution of lightweight devices, such as smartphones, on a remote
server. By replicating execution on more powerful hardware, PA can
apply multiple and diverse security checks on the replica, without
burdening the device, to detect even zero-day attacks. Our prototype
works on Google's Android system. This work appeared in ACSAC'10.
PA can be made available on request.

Eudaemon

Eudaemon
is a framework for dynamically switching a native application from
executing natively to executing under dynamic taint analysis, and
back, so that the cost of the analysis is paid only when it is wanted.
It is based on QEMU's user-mode emulator. Our work on Eudaemon was
published in EuroSys'08.
Eudaemon can be made available on request.

Argos

The Argos secure emulator is a whole-system emulator (based on the
QEMU emulator) that employs dynamic taint analysis to detect zero-day
attacks that exploit memory corruption bugs (such as buffer overflows
or dangling pointers) to divert control flow. Argos is primarily used
to host honeypots and to analyze the attacks it detects. Our work on
Argos was published in EuroSys'06.
Go to site! |
Get the software!
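
What a DFT engine tracks, and the policy that DTA builds on it, as an added example written for this page (not libdft's, Eudaemon's or Argos's code). Tags travel with bytes through input, copies and loads; a return through a tainted saved return address is reported as an attack. The memory layout, the one-bit `NET_TAG`, the byte-per-byte tag representation and the two constructed requests are my assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Byte-granular shadow memory: one tag byte per data byte, bit i set meaning
// "derived from taint source i" (my simplification of how libdft keeps tags).
struct TaintedMemory {
    std::vector<uint8_t> data, tags;
    explicit TaintedMemory(size_t n) : data(n, 0), tags(n, 0) {}

    // Taint source: bytes that arrive from the network are tagged on arrival.
    void write_input(size_t dst, const std::vector<uint8_t>& in, uint8_t tag) {
        for (size_t i = 0; i < in.size(); ++i) { data[dst + i] = in[i]; tags[dst + i] = tag; }
    }
    // Stores of program constants are untainted.
    void store32(size_t addr, uint32_t v) {
        for (int i = 0; i < 4; ++i) { data[addr + i] = uint8_t(v >> (8 * i)); tags[addr + i] = 0; }
    }
    // Propagation: a copy moves the tag along with the value (mov, rep movsb, ...).
    void copy(size_t dst, size_t src, size_t n) {
        for (size_t i = 0; i < n; ++i) { data[dst + i] = data[src + i]; tags[dst + i] = tags[src + i]; }
    }
    // A 32-bit load yields the value and the union of its bytes' tags, the
    // same rule a DFT engine applies to any instruction that combines operands.
    uint32_t load32(size_t addr, uint8_t* tag_out) const {
        uint32_t v = 0; uint8_t t = 0;
        for (int i = 0; i < 4; ++i) { v |= uint32_t(data[addr + i]) << (8 * i); t |= tags[addr + i]; }
        *tag_out = t;
        return v;
    }
};

// DTA policy: a control-transfer target that carries any taint is an attack,
// whatever its value happens to be (a plausible-looking address is no excuse).
struct RetResult { bool alarm; uint32_t target; uint8_t tag; };

static RetResult ret_through(const TaintedMemory& m, size_t saved_ret_slot) {
    RetResult r;
    r.target = m.load32(saved_ret_slot, &r.tag);
    r.alarm = r.tag != 0;
    return r;
}

static const uint8_t NET_TAG = 0x01;    // tag bit for "came from the socket"

// Model of a vulnerable handler: a 16-byte stack buffer directly below the
// saved return address, filled by an unbounded copy of the request.
static RetResult run_handler(const std::vector<uint8_t>& request) {
    const size_t kBuf = 0x100, kRet = 0x110, kReq = 0x200;
    TaintedMemory m(0x300);
    m.store32(kRet, 0x00401000);            // legitimate return address, untainted
    m.write_input(kReq, request, NET_TAG);  // request bytes become tainted
    m.copy(kBuf, kReq, request.size());     // the bug: no bound against 16 bytes
    return ret_through(m, kRet);            // the handler's 'ret'
}

// Constructed sample requests, not real traffic.
static std::vector<uint8_t> benign_request() { return {'G', 'E', 'T', ' ', '/', '\n'}; }
static std::vector<uint8_t> overflow_request() {
    std::vector<uint8_t> r(16, 'A');                          // fills the buffer...
    const uint8_t ret_bytes[4] = {0xEF, 0xBE, 0xAD, 0xDE};    // ...then overwrites the return address (0xDEADBEEF)
    r.insert(r.end(), ret_bytes, ret_bytes + 4);
    return r;
}

int main() {
    RetResult a = run_handler(benign_request()), b = run_handler(overflow_request());
    std::printf("benign:   alarm=%d target=0x%08x tag=%u\n", a.alarm, a.target, (unsigned)a.tag);
    std::printf("overflow: alarm=%d target=0x%08x tag=%u\n", b.alarm, b.target, (unsigned)b.tag);
    return 0;
}
```

Because the decision is made on tags rather than on the value, the same check fires when the overwritten address points at a legitimate gadget inside the program, which a value-based sanity check ("is the target inside the text segment?") would miss.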

FFPF

FFPF, the Fairly Fast Packet Filter,
is an operating-system I/O subsystem for packet processing that
minimizes copying and context switching in the Linux kernel. FFPF was
published in OSDI'04. FFPF has since evolved into Streamline, thanks
to Willem De Bruijn.
Go to site!